[00:15.040 --> 00:21.360]  Hello, everyone. Welcome back to DEF CON 28 Safe Mode, Blue Team Village live stream.
[00:21.360 --> 00:25.240]  Today, we're going to be talking with, I'm not talking, but he'll be talking,
[00:25.240 --> 00:31.960]  Connor Morley, discussing Outer Haven, the UEFI memory space decision to be misused.
[00:32.200 --> 00:36.720]  Reminder, if you have any questions for the speaker, you can obviously reach them at their
[00:36.720 --> 00:41.840]  Twitter handle, DM them within the Discord channel, or reach them on the Flamingo Hotel
[00:42.400 --> 00:49.300]  Text Talks Track 1. We'll be watching for questions there. And over to you, Connor.
[00:49.620 --> 00:54.220]  Thank you very much. So, hi, everyone. My name is Connor Morley. I'm a threat hunter with
[00:54.220 --> 01:00.940]  F-Secure Countercept, which is an MDR DRT service. Today, I'll be talking about the UEFI memory space,
[01:00.940 --> 01:05.900]  how it can be exploited by a range of attackers, and how it can defend against it.
[01:05.900 --> 01:11.800]  And I give it the app name of Outer Haven. So, proper agenda. What we're going to run through,
[01:11.800 --> 01:17.940]  I'm going to do a quick crash course on what exactly UEFI is, why this is of interest to
[01:17.940 --> 01:26.100]  attackers and defenders, how to exploit the UEFI memory space, regardless of your technical
[01:26.100 --> 01:32.320]  expertise. So, all the way from APT actors, all the way down to script gettys. You better go over
[01:32.320 --> 01:37.720]  some of the issues with defending against exploitation of this memory sector, how we
[01:37.720 --> 01:43.860]  can overcome those difficulties and monitor this memory area, and what this means for us as an
[01:43.860 --> 01:51.040]  industry. So, let's dive straight in. The crash course of what exactly is UEFI. So, a lot of people
[01:51.040 --> 01:57.240]  may have heard the term UEFI, but may not know exactly what it is. So, UEFI stands for the
[01:57.240 --> 02:03.080]  Unified Extensible Firmware Interface. It's the successor to BIOS. Most people will be familiar
[02:03.080 --> 02:09.420]  with BIOS, the basic input-output system. It interfaces between the mechanical elements of a
[02:09.420 --> 02:15.880]  system and its operating system. So, effectively, it works as a translation layer between the
[02:15.880 --> 02:22.520]  operating system and the firmware for the hardware of your device, hence a firmware interface. So,
[02:22.520 --> 02:29.600]  for example, if the operating system requests a file to be opened, the file command gets run
[02:29.600 --> 02:36.520]  from the OS through the UEFI to the firmware of your storage device. It then allocates that
[02:36.520 --> 02:42.080]  memory sector and returns it, and then that's how it's read, as a very, very general basic overview.
[02:42.320 --> 02:48.320]  It's key for all system functionality. It conducts all boot operations. It can, as I said,
[02:48.320 --> 02:58.000]  conducts all interfaces between the software and the hardware, and it is essential in all
[02:58.000 --> 03:02.220]  modern computers. So, it is found everywhere, regardless of the operating system that you're
[03:02.220 --> 03:09.660]  using. It's also widely considered far more secure than BIOS. So, we introduced the concept
[03:09.660 --> 03:15.240]  of something called Secure Boot. So, Secure Boot is the idea that when drivers are loaded at boot
[03:15.240 --> 03:22.100]  time, their OEM signature is checked in order to guarantee and verify that they're the correct
[03:22.100 --> 03:31.960]  and authorized driver. This idea of Secure Boot actually eliminated a really easy physical access
[03:31.960 --> 03:37.340]  bypass to older machines, which basically means as soon as you had physical access to a machine,
[03:37.340 --> 03:44.020]  you could easily bypass any security. One of the key things to mention about UEFI is that it is
[03:44.020 --> 03:50.360]  stored on an independent chip on your motherboard, an NVRAM chip, which is totally isolated. It's
[03:50.360 --> 03:56.480]  its own independent component of the machine, and it is attached to the motherboard. So, it's
[03:56.480 --> 04:03.480]  completely isolated from everything else. It is its own piece of kit. So, just to really
[04:04.580 --> 04:11.420]  intensify and solidify where this sits in your computer. So, the UEFI, as I said, sits between
[04:11.420 --> 04:18.880]  the operating system and firmware, and the firmware that talks to the hardware. So, the operating system, if it wants to talk to your hardware, has to go through the UEFI.
[04:20.620 --> 04:25.780]  It is essentially just a translation layer of operating system commands
[04:25.780 --> 04:31.880]  down to firmware layer commands to receive whatever the operating system needs the host to do.
[04:33.100 --> 04:38.420]  So, most people, when you're talking about UEFI and BIOS, they'll think of this sort of screen.
[04:38.420 --> 04:44.760]  Your boot screen, sometimes with the boot menu or BIOS settings as one of those options at the bottom.
[04:44.760 --> 04:48.800]  But the majority of the users will see this sort of screen and just, you know,
[04:48.800 --> 04:55.960]  as it boots up your computer and not the device. Some people will obviously go into those settings,
[04:55.960 --> 05:02.520]  which looks something like this. So, on the left, you have the older BIOS settings configuration menu,
[05:02.520 --> 05:09.820]  and on the right, you have the newer UEFI interactive GUI. So, one of the things that
[05:09.820 --> 05:15.580]  UEFI actually allows to do is the use of graphical user interfaces, which is not available in BIOS.
[05:15.580 --> 05:21.260]  This allows for, as you can see, this is there. It allows for branding, it allows for, you know, CPU
[05:21.260 --> 05:27.960]  temperatures and all this sort of stuff. It also allows for point and click, so the use of a mouse, whereas BIOS doesn't.
[05:27.960 --> 05:34.900]  This is to do primarily with how EFI operates using EFI binary files, which allows for these
[05:34.900 --> 05:41.800]  layers to be put on top of it. Again, this allows for security settings, it allows for the boot
[05:41.800 --> 05:47.960]  order to be configured, and such things like that. So, most people will think this is sort of the limit
[05:47.960 --> 05:52.920]  of what you can, or this will be like the limit of what most people have dealt with, but the UEFI
[05:52.920 --> 06:00.600]  itself is actually a lot more complicated. It does a lot more in relation to your host, and it runs
[06:00.600 --> 06:06.380]  the entire time that your computer is operating, and so it's not just the boot service, it's
[06:06.380 --> 06:14.280]  fundamental to all operations of all modern hosts that you find around the world. So, there's a lot
[06:14.280 --> 06:20.260]  more to it that a lot of people are not privy to, but the key thing to know is it is always active,
[06:20.260 --> 06:27.140]  is essential, and it's isolated from the rest of the system.
[06:27.720 --> 06:37.840]  So, why is UEFI interesting to attackers and defenders alike? So, why are attackers, red team,
[06:37.840 --> 06:44.360]  is looking at UEFI? So, as I said earlier, the UEFI is isolated from the rest of the system on its own
[06:44.360 --> 06:48.700]  little island of silicon. So, it's segregated from the rest of the system by design.
[06:50.580 --> 06:55.780]  Because it's isolated, it's not well known about, and it's considered quite low-level technology,
[06:55.780 --> 07:02.000]  it's commonly overlooked in a lot of attack situations, and normally isolated to the
[07:02.000 --> 07:09.460]  sort of APT rootkit sort of attack frameworks and methodologies and TDPs. So, it's
[07:09.460 --> 07:14.280]  normally overlooked in most operations by defenders, so it gives this sort of idea that
[07:14.280 --> 07:21.720]  it's lucrative and valuable to pro attackers. The other thing to note is that remediation of
[07:21.720 --> 07:28.960]  anything on the UEFI is really difficult. With a lot of components on the machine,
[07:28.960 --> 07:32.420]  obviously you can chop and change them, hard drives, RAM, CPU, all that sort of stuff,
[07:32.420 --> 07:38.200]  if you really had to. Changing the UEFI, if you had to, much more difficult. A lot of the time,
[07:38.200 --> 07:43.520]  they're soldered onto the motherboard. So, as you can imagine, changing that is a real pain.
[07:43.960 --> 07:49.860]  And even removing it, obviously, interactively through an interface can be really tricky if
[07:49.860 --> 07:56.860]  you don't have experience with UEFI. So, as I said, there's a whole section later on that I'm
[07:56.860 --> 08:01.360]  going to cover about why remediation is difficult, and I'm going to go over that in a lot more
[08:01.360 --> 08:08.420]  detail. One of the other things to note about UEFI is that by standard, by the standards of UEFI,
[08:08.420 --> 08:16.040]  everything written to it is automatically put as a system. So, it's non-volatile and everything
[08:16.040 --> 08:21.300]  that's written will automatically stay there throughout boot. Which, as you can imagine,
[08:21.300 --> 08:28.480]  from a sort of persistence attack methodology sort of mentality, is inherently quite valuable.
[08:29.460 --> 08:34.640]  So, although this is why attackers are looking at it, why are they looking at it now? What
[08:34.640 --> 08:41.040]  exactly has changed? So, as I said, it's normally put as being rootkits and little
[08:41.040 --> 08:45.700]  actors, ATPs, because it's a complex sort of area and a lot of people overlook or don't really
[08:45.700 --> 08:51.880]  understand. But what's happened is that since Windows... actually, since Windows XP,
[08:51.880 --> 08:57.180]  surprisingly, but more recently since Windows Vista and onwards, Windows has... Microsoft
[08:57.180 --> 09:06.100]  has gradually introduced more runtime access to the UEFI memory space. So, UEFI runs boot
[09:06.100 --> 09:11.560]  services and runtime services, and through the iterations of Windows and obviously their
[09:12.620 --> 09:19.060]  updates and newer versions, they've steadily introduced more and more runtime service access
[09:19.060 --> 09:25.880]  to the UEFI memory space. So, research done last year at DEF CON, DEF CON 27, Michael Liebowitz
[09:25.880 --> 09:32.980]  and Tova Timson, they did a whole presentation on this type of attack, about how to avoid
[09:32.980 --> 09:39.740]  threat hunters and EDR by utilizing the UEFI memory space, because it avoids detection.
[09:39.940 --> 09:43.740]  I was really recommending their research, really cool stuff, and obviously this is where
[09:43.740 --> 09:50.180]  this entire piece of research stemmed from. And they went into how they could use native
[09:50.180 --> 09:58.000]  Windows API functions to read and write into the UEFI memory space. So, originally, when I
[09:58.000 --> 10:02.580]  first saw their talk, I thought, oh, this is worrying, but surely there must be a way around
[10:02.580 --> 10:10.000]  this. Again, this is a section that will come later on, but it was a gap that was found, or
[10:10.000 --> 10:15.660]  that I, when looking into it, I did see was in the security defensive structure.
[10:17.160 --> 10:22.140]  So, because of their research, there is now very, because, not because of the research,
[10:22.140 --> 10:28.220]  but because of Microsoft's expansion, which is runtime service access, there is, by their
[10:28.220 --> 10:34.840]  exposure, Windows API basic functionalities that allow read and write access into this lucrative,
[10:34.840 --> 10:39.740]  sort of, not well understood memory sector that's isolated from the rest of the system,
[10:39.740 --> 10:49.620]  which is pretty valuable. So, how is it that the UEFI memory space is exploited? All the way
[10:49.620 --> 10:59.180]  from the APT actors, all the way down to script kitties or, you know, newer attackers. So, the way
[10:59.180 --> 11:07.980]  that Leibovitz and Timson exposed was to use C-sharp precompiled payloads using
[11:07.980 --> 11:14.120]  kernel32.dll exploit functions and get firmware environment variable ex and set firmware
[11:14.860 --> 11:20.660]  environment variable ex. As you can imagine, these are the read and write functions.
[11:21.440 --> 11:27.960]  With these two methods, an attacker can install a payload into this memory space and then create
[11:27.960 --> 11:34.000]  an external persistence mechanism to read from this isolated memory space at a later point or
[11:34.000 --> 11:40.520]  by a trigger in order to run a more malicious or internal payload or a beacon or agent or anything
[11:40.520 --> 11:47.660]  like that from the UEFI memory space. This obviously requires the payloads to be pre-built,
[11:47.660 --> 11:51.280]  so they have to be obviously targeted and have an understanding of where they're going and
[11:51.280 --> 11:55.300]  what they can leverage out of the environment they're going into.
[11:56.620 --> 12:04.440]  It also has to specify, at the time of compilation, the variable names and the GUIDs
[12:04.440 --> 12:09.060]  or the vendor IDs of the variable they're going to be injecting into the memory space.
[12:09.580 --> 12:13.980]  And because of this, and obviously you have to have an understanding of how C-sharp can be used for
[12:16.280 --> 12:22.180]  API DLL interactions in order to leverage the kernel32.dll in order to access the UEFI and
[12:22.180 --> 12:26.860]  write into it. So you have to have a good understanding and preparedness of who you're
[12:26.860 --> 12:30.940]  going to attack, how you're going to attack them, and obviously an understanding of the
[12:30.940 --> 12:37.880]  programming language itself in order to utilize it. So as attack methods go, this is quite advanced
[12:37.880 --> 12:42.460]  compared to obviously just copying and pasting off the internet and running it as you like.
[12:43.980 --> 12:48.760]  You also have to have an understanding of UEFI variable constructs, their attributes,
[12:48.760 --> 12:53.540]  and how they're constructed. So there's a lot of layers to this sort of attack, but it is
[12:53.540 --> 12:59.540]  very powerful and if leveraged correctly, as they demonstrated, was very effective.
[13:00.020 --> 13:05.120]  I decided to approach this from another angle. So instead of going for something pre-compiled
[13:05.120 --> 13:12.140]  and thought about what if we could just do like a drive-by sort of attack. So we went back to the
[13:12.780 --> 13:23.140]  tried-and-true PowerShell, which is able to leverage the same DLL import functionality.
[13:23.500 --> 13:30.840]  So ignoring high-level codes, we found that the same functionality into the UEFI
[13:30.840 --> 13:34.760]  memory space read and write could be emulated in PowerShell just as effectively.
[13:36.800 --> 13:40.480]  You can do this as a PowerShell script, or you can actually do it as a
[13:40.480 --> 13:45.400]  on-the-fly sort of write to terminal and execute, and both work just as well.
[13:45.400 --> 13:50.700]  The only caveat for both attacks is that it has to be run at an administrative level.
[13:50.700 --> 13:57.190]  The reason for this is the session that you're using in order to have firmware edit privileges,
[13:57.640 --> 14:02.180]  you have to do token escalation that can only occur as an admin.
[14:04.760 --> 14:11.700]  So emulating what Tinsman and Leibovitz did, I was able to
[14:13.180 --> 14:17.140]  replicate theirs as a PowerShell, as I said, as a script and as a drive-by,
[14:17.860 --> 14:25.060]  and they were both extremely effective and fully functional. It was only after I translated
[14:25.060 --> 14:30.640]  their C Sharp code into PowerShell, I found that a guy called Michael Nehas,
[14:30.640 --> 14:36.940]  sorry if I'm pronouncing that wrong, he's actually already written a PowerShell module online which
[14:36.940 --> 14:42.900]  you can download and import, which has the read and write functionality nicely wrapped as two
[14:42.900 --> 14:50.380]  separate functions, arguments, and all this sort of stuff, making the copy-paste of my
[14:51.660 --> 14:57.060]  PowerShell scripting even easier and much smaller because you don't have to take into account the
[14:57.060 --> 15:01.500]  token escalation and importing the APIs and understanding how to do that. It does it all
[15:01.500 --> 15:10.440]  for you. So we've gone from pre-compiled targeted C Sharp payloads to very small on-the-fly copy-paste
[15:10.440 --> 15:16.420]  PowerShell scripting, which as you can imagine if you put that online anyone can tweak the payload
[15:16.420 --> 15:26.100]  and start playing around with it and it's much easier to do much quicker. So I made some POC code,
[15:26.100 --> 15:29.240]  there's a link at the end to a repository where this is available to everyone.
[15:30.620 --> 15:37.920]  So the POC code is PowerShell dumps a reverse shell payload, the idea is that it dumps a reverse
[15:37.920 --> 15:44.140]  shell payload into your file and then immediately runs it. So it's just a write, read, execute.
[15:44.140 --> 15:48.340]  Obviously in the real world, as I said earlier, you'd obviously write it to the memory space,
[15:48.340 --> 15:53.400]  you'd create persistence, read it later, extract it and execute. For a PSA this seemed to work
[15:54.680 --> 16:03.600]  very well. When I tested this, so the antivirus I was using on the host, Windows 10,
[16:03.600 --> 16:09.240]  it detected obviously the reverse shell when it was running to memory, which is what you'd expect,
[16:09.240 --> 16:16.740]  but it didn't terminate it and it didn't remove the payload itself from the UFI memory space. So
[16:16.740 --> 16:25.180]  the payload itself was still on the host even after the AV had flagged it, which I'll demonstrate
[16:25.700 --> 16:35.240]  later. As an extra point, this will tie into the defensive problems later, as an attacker,
[16:35.240 --> 16:40.180]  you might want to do is the first write operation you have into a UFI memory space and the persistence
[16:40.180 --> 16:47.120]  that you create, when you run that first payload, delete the original entry into UEFI and the
[16:47.120 --> 16:52.160]  persistence and recreate it again. The reason is that the payload inside the first UEFI, if they
[16:52.160 --> 16:56.980]  find the way that you've injected into it, they can obviously trace that back and figure out what
[16:56.980 --> 17:01.960]  you put there or what you've labeled it under and things like that. Whereas if you do it a second
[17:01.960 --> 17:06.980]  time from an encoded or encrypted payload inside the UEFI that you then extract and run again,
[17:06.980 --> 17:13.140]  it becomes much, much harder for investigators to track that from a point of infection to where
[17:13.140 --> 17:20.920]  you're going and what you're doing. So now comes the tricky bit. I do have a demo. So the demo
[17:20.920 --> 17:28.340]  has been created, just as a heads up, to... it was OBS of a virtual machine, however it is
[17:28.900 --> 17:36.700]  fairly small. So I do apologize. The videos themselves are available afterwards. They'll be
[17:36.700 --> 17:46.340]  available for people to look over. And it will be a good description of what's going on. So this is the first one.
[17:46.340 --> 17:54.080]  So this screen shows the drive by header that I'm going to be using in Notepad. As you can see, it's
[17:54.080 --> 18:03.680]  in byte arrays. So I copy that. This payload is fully available from the repository that's available
[18:03.680 --> 18:11.320]  at the end. This is pasted into the administrative PowerShell terminal. As you can see the whoami
[18:11.320 --> 18:20.380]  cm underscore test. That's now being executed. So that's being written into the UEFI memory space
[18:20.380 --> 18:24.720]  and then being extracted and executed. So we're going to go to my attack box
[18:25.780 --> 18:32.800]  where I have a reverse TCP handler waiting for the connection from the POC code,
[18:32.800 --> 18:38.440]  which is going to be extracted from UEFI memory. So we give that a few seconds.
[18:43.080 --> 18:49.760]  And there it is. So that's the reverse shell from the UEFI hosted payload. And the whoami shows
[18:49.760 --> 18:57.360]  that it is cm underscore test. So it's the same machine that we just ran the PowerShell POC code on.
[19:01.140 --> 19:06.980]  One thing to note is that the PowerShell instance in that case will be running
[19:14.660 --> 19:26.520]  in the background. So when you execute the outputs of the PID
[19:26.520 --> 19:33.280]  of the PowerShell instance that it's going to be running as a POC code, obviously in real attacks
[19:33.280 --> 19:37.160]  you wouldn't keep it as a PowerShell instance. You might migrate it to something else, but
[19:38.500 --> 19:48.260]  they're irrelevant. So that's basically the advance of moving from generating
[19:48.260 --> 19:52.680]  payloads and then targeted attacks all the way down to copy pasting and getting the same effect.
[19:52.680 --> 19:57.760]  So that's the attack side of it, but what about defending? So there are a number of issues with
[19:57.760 --> 20:03.960]  defending UEFI memory space. And to understand these issues, it's good to understand why
[20:03.960 --> 20:11.020]  Microsoft has slowly included more access controls to this memory space in their iterative versions.
[20:12.100 --> 20:19.060]  One of the main reasons is the simplification for firmware updates and maintenance.
[20:19.060 --> 20:27.820]  So for example, if you're a vendor of any sort of hardware, if you want to update the
[20:27.820 --> 20:33.840]  firmware of your device in the old versions, you would have to run the update and or you'd have to
[20:33.840 --> 20:40.780]  do specialized boot time scans in order to check that it was the correct version. Whereas now using
[20:40.780 --> 20:46.680]  these interfaces, the operating system is able to run software that can check the installed version,
[20:46.680 --> 20:52.180]  make sure it's compatible, the right type, the right vendor, so on and so forth. It's also able to
[20:52.180 --> 20:57.420]  change the boot order from runtime, so you no longer have to go into the UEFI or BIOS menu.
[20:57.420 --> 21:03.060]  You can just do that straight from the operating system, which obviously is much more user-friendly
[21:03.060 --> 21:09.900]  for a lot of users. One of the interesting things is that in development of Windows, they
[21:09.900 --> 21:16.500]  use UEFI variables and memory space for crash dump data. So if you ever run
[21:16.500 --> 21:20.760]  Windows Developer Editions and you have a crash, you'll find that it will output
[21:21.500 --> 21:26.880]  crash data to the UEFI memory space because it's non-volatile by nature.
[21:26.900 --> 21:30.480]  They know that it will be stored and it will be safe so that they output there.
[21:32.600 --> 21:38.940]  Yeah, so it allows for just much easier maintenance and upgrading and
[21:38.940 --> 21:47.240]  patching of the firmware level of a machine. But what restrictions are there
[21:47.240 --> 21:55.500]  on this variable access that Windows has introduced? Well, none, effectively. The only restriction I could
[21:55.500 --> 22:03.020]  find was a variable size. Over a certain size, when you try to extract it, you might have some
[22:03.020 --> 22:09.020]  issues because it assumes that it's going to be a certain size. You can overload the UEFI if you
[22:09.020 --> 22:14.740]  try hard enough, although I haven't actually tried that and I don't recommend it.
[22:15.740 --> 22:21.060]  You must provide, if you want to read data from UEFI, you must provide the variable name and the
[22:21.060 --> 22:27.820]  GUID or the vendor ID to access that particular variable's data.
[22:28.840 --> 22:34.760]  And this is where the trouble arises from. There is no currently
[22:34.760 --> 22:40.640]  available way to enumerate the variables, well, there wasn't, available way to enumerate the variables
[22:40.640 --> 22:47.280]  on the UEFI RAM chip at runtime, with only one exception, which Ligritz and
[22:49.180 --> 22:53.620]  Timzen demonstrated last year. I couldn't find any other except for one exception, which I'll
[22:53.620 --> 22:59.200]  cover in a second. Therefore, users, software systems, operating systems, anything like that, can only
[22:59.200 --> 23:04.200]  access variables that they already know exist and they already have the necessary credentials for.
[23:04.320 --> 23:11.000]  So, from a defense point of view, that creates an issue. If an attacker creates a new variable
[23:11.840 --> 23:15.960]  with a randomized name and a GUID that's non-specific,
[23:17.140 --> 23:23.540]  an attacker, a defender, can't enumerate these variables and therefore can't analyze what's
[23:23.540 --> 23:29.800]  inside the UEFI memory. So these, any nasties they put in there, effectively go undetected
[23:29.800 --> 23:34.160]  because the defender doesn't know where they're called and can't extract them, can't access them.
[23:34.960 --> 23:40.620]  So, the only exception that was found was a tool called Chipsack. It was designed by the
[23:40.620 --> 23:49.900]  guys over at Intel. It's a deep firmware security analysis and repair tool. It's really powerful.
[23:50.360 --> 23:56.320]  I was quite impressed with it. It does output the UEFI variables at runtime. It was the only
[23:56.320 --> 24:03.240]  tool, and I did a lot of searching, and I found it did that. But the tool itself, even in their
[24:03.240 --> 24:09.340]  reputations, they say it's not for production. It's for development only. It's very large. It's
[24:09.340 --> 24:15.220]  quite clunky. It requires the installation of a custom kernel driver, and it also requires the
[24:16.720 --> 24:22.680]  disablement of certain security functions in order for it to operate, which obviously,
[24:22.680 --> 24:28.860]  as a defense software, if you're going to be using this remotely in production, is counterintuitive.
[24:28.860 --> 24:36.620]  Although it does what I was looking for, it wasn't capable of doing it in the way that was required.
[24:43.320 --> 24:46.900]  Although those are the difficulties, how do you monitor the memory space?
[24:47.820 --> 24:54.520]  I tested a lot of methods in order to try and find runtime access and enumeration.
[24:54.900 --> 24:59.840]  This is just a few of them, but I spent a lot of time going through these methods.
[25:00.320 --> 25:08.740]  Examination of runtime enumeration. First of all, I looked at the UEFI specification itself,
[25:08.740 --> 25:16.020]  which is really extensive. There are lots of sections that explain how you can enumerate UEFI
[25:16.020 --> 25:23.560]  variables, but they mainly focus on what's called the EFI shell, which is a specialized
[25:23.560 --> 25:29.760]  shell that can be accessed at boot time in order to interface with the EFI layer of your device.
[25:29.760 --> 25:36.240]  It requires a custom loader to be put normally on removal medium, which you then
[25:36.240 --> 25:40.900]  access and it provides the shell. So the specification provides a lot of information
[25:41.960 --> 25:46.580]  about commands that can be run in this particular terminal, this sort of environment, in order to get
[25:46.580 --> 25:53.120]  these variables, but not enough really to do it from runtime. So it was inconclusive and I
[25:53.120 --> 25:56.240]  couldn't find runtime services from the specification, unfortunately.
[25:58.660 --> 26:03.240]  Attempts to... so the operating system, as I said, Windows introduced the interaction for the
[26:03.240 --> 26:09.420]  operating system to have access and control over certain elements of UEFI. So UEFI should have
[26:09.420 --> 26:17.280]  an understanding of what is in there. So analyzing how the operating system interfaces with the UEFI
[26:17.840 --> 26:26.620]  showed that it works off of a database inside the isolated EFI partition of your hard drive.
[26:26.920 --> 26:34.620]  From that partition, it then interfaces with a file called BCD, which is a registry file,
[26:34.620 --> 26:40.740]  so key value pairs, which effectively match up to the values that it already knows about
[26:40.740 --> 26:47.360]  at installation. So backtracing this all the way down. By the way, the BCD file in the EFI
[26:47.360 --> 26:51.800]  partition is held by system, so you can't access it from while you're running the Windows system,
[26:51.800 --> 27:00.720]  which was always a fun caveat. So the operating system only knows what it knows at installation,
[27:00.720 --> 27:06.640]  it can't enumerate what is in the EFI memory space. So unfortunately, that was a dead end.
[27:08.660 --> 27:13.680]  I turned back to Chipseq as it was the only tool that I could find that did what I was looking for,
[27:13.680 --> 27:18.400]  and the source code is fully available online, which is really, really cool, a really good thing
[27:18.400 --> 27:25.040]  to look at. So I began looking at how it functions, I began following its procedures and how it
[27:25.040 --> 27:33.200]  accesses the memory. On assessment, I found that it imported something called EDK2, which seemed to
[27:33.200 --> 27:45.140]  be very important in EFI enumeration. Effectively, what the EDK2 does is, after a lot of time playing
[27:45.140 --> 27:51.040]  with it, extracting it, running it independently from Chipseq, which was very difficult, I found
[27:51.040 --> 27:57.640]  that instead of accessing it from runtime, what EDK2 does is it creates what's called an EFI
[27:57.640 --> 28:05.600]  payload, which can be run within an EFI shell to output specific results. So it's more like a
[28:05.600 --> 28:15.100]  compiler for EFI payloads or capsules, as you may call them, which was run from
[28:15.100 --> 28:22.200]  Chipseq for, I think, mainly for remediation or repairs to the firmware. Unfortunately, it didn't
[28:22.200 --> 28:27.900]  do what I was looking for, which was obviously runtime enumeration. So the operating system
[28:27.900 --> 28:32.220]  doesn't enumerate, it only has a list of what it already knows. The specification didn't provide
[28:32.220 --> 28:38.060]  the information I was looking for, and the tool under analysis that I knew could do it,
[28:38.060 --> 28:42.700]  I stumbled at the first hurdle and couldn't figure out how it was operating.
[28:42.700 --> 28:48.060]  So I ended up kind of down a rabbit hole for quite a while, trying to dig myself out of it.
[28:48.060 --> 28:55.420]  Eventually, I did basically knuckle down and get back to Chipseq, and I spent a lot of time
[28:55.420 --> 29:02.280]  following it, debugging it, really analyzing how it worked. And eventually, I figured out
[29:02.280 --> 29:10.920]  through its abstract process how it accesses the UEFI memory space from runtime. And to do this,
[29:10.920 --> 29:20.660]  it uses an undocumented function of the NTDLL.DLL file called NTEnumerateSystemEnvironmentVariable
[29:20.660 --> 29:28.320]  values EX. And what this command does is it extracts the variable information within UEFI
[29:28.320 --> 29:35.620]  to a buffer of your creation, which can then be extracted and carved to find each variable within
[29:35.620 --> 29:44.400]  it. So you run this function from the NTDLL. It provides a data blob in a buffer, which you can
[29:44.400 --> 29:50.580]  then loop through and carve and extract all of the variables for analysis. And this proved to be
[29:50.580 --> 30:00.900]  the saving grace. From the Chipseq tool, I extracted the methodology, I put it in a lightweight wrapper,
[30:01.440 --> 30:08.780]  really analyzed it, put it through its paces. The resulting POC code, which is in Python,
[30:08.780 --> 30:17.740]  runs on everything Windows 7 forwards that I tested. It should, in theory, run on Windows XP
[30:18.580 --> 30:25.020]  because the function within NTDLL was introduced in one of the NTDLL versions, which was released
[30:25.020 --> 30:30.820]  alongside a Windows XP Service Pack 2. So technically, it should run on Windows XP,
[30:30.820 --> 30:37.660]  but I didn't try that one. It does check if the system you're on is UEFI-based before it allows
[30:37.660 --> 30:46.180]  it to run, which is obviously something else to note. As it uses the native NTDLL.dll, which is
[30:46.180 --> 30:51.660]  found on every single Windows host, you're not required to install anything custom except for
[30:51.660 --> 30:57.540]  Python, but also run the POC code. So it leverages local files in order to enumerate this memory
[30:57.540 --> 31:04.140]  space. As with the attacks, it must be run as admin because of the token escalation that's
[31:04.140 --> 31:11.940]  required for firmware access. But as you can see from the left, when running this POC Python code,
[31:11.940 --> 31:17.860]  it did successfully dump all of the AFI variables, including the malicious codes that were
[31:17.860 --> 31:26.600]  not defined anywhere else, and allowed them for analysis as byte data and as translated Unicode.
[31:27.020 --> 31:33.260]  So we've gone from a very large, powerful, clunky tool to a very lightweight,
[31:33.260 --> 31:40.880]  wrapped Python script, which can run on any Windows host post-Windows 7.
[31:42.600 --> 32:02.430]  I do have another demo for that. Bear with me. So this just shows some Python code.
[32:03.110 --> 32:07.250]  We're now going to run that Python file, Python 2.
[32:09.770 --> 32:15.130]  As you can see, it's outputting the AFI variables nice and clearly. As you can see, the ones going
[32:16.330 --> 32:20.050]  past, although it may be quite small on your screen, is showing the DefCon demo.
[32:21.010 --> 32:28.430]  P2 entries, that was from the attack that I demonstrated earlier, along with the associated
[32:28.430 --> 32:37.210]  byte data and the Unicode of the reverse TCP payload that I generated using NSFenum.
[32:40.200 --> 32:50.560]  There we are. That on the left there is DefCon demo-p1. That's an example of how that works.
[33:02.240 --> 33:09.780]  So now we have a good understanding of how this attack can be used at all range of attack levels
[33:09.780 --> 33:15.720]  and how it can be monitored and defended against. Very lightweight and integrated into defensive
[33:15.720 --> 33:26.620]  software. What does this mean for computer users and as researchers? Everyone can be targeted.
[33:26.620 --> 33:31.740]  Equally, everyone can patch them now. So despite the obvious ease with which all
[33:31.740 --> 33:38.500]  critical attackers can leverage this memory space using the API function exposed last year,
[33:39.340 --> 33:43.800]  and as I've demonstrated, it can be all the way up from defined calculated attack
[33:44.980 --> 33:48.550]  methodology all the way down to drive-by copy-pasting,
[33:50.810 --> 33:57.390]  defenders equally now have the equal ease in accessing and enumerating this memory space
[33:57.390 --> 34:07.070]  for analysis. So although standard hunting procedures or antivirus or defensive technologies
[34:07.070 --> 34:13.770]  may not look into this currently, the integration of such technologies now is very, very easy.
[34:14.490 --> 34:25.330]  So integration into standard detection rules, processes, techniques, and defensive software
[34:25.330 --> 34:31.550]  is extremely easy using the lightweight capabilities that I've outlined, which effectively
[34:31.550 --> 34:38.650]  neuter this as a malicious haven on all available modern operating systems, modern hosts.
[34:39.610 --> 34:47.750]  It also allows for increased sort of research in this area. So although we now can monitor this,
[34:47.750 --> 34:54.290]  there may be custom payloads that they use that are specific, or there might be malware variations
[34:54.290 --> 34:59.550]  that are specific for leveraging this memory space, which allow us to create custom rules
[34:59.550 --> 35:06.810]  and remediation methods in order to remove this as a threat. So as we can now enumerate
[35:06.810 --> 35:14.090]  these malicious payloads when they're on a unified memory space, it also allows us to
[35:14.090 --> 35:19.890]  remediate it by leveraging the same capabilities of the attackers, the read-write. If a defender
[35:19.890 --> 35:24.610]  knows what the payloads are called and where they're stored, they can overwrite and remove
[35:24.610 --> 35:31.690]  their payloads from the victim's host. So we are in a situation now where attackers have this
[35:31.690 --> 35:37.570]  capability to leverage this isolated memory space, but defenders equally have the same
[35:38.410 --> 35:44.870]  level of ease in order to monitor and neuter any attempts to leverage it.
[35:46.430 --> 35:53.330]  So that's me. That's my email, if anyone has any questions. The GitHub below is the
[35:54.010 --> 35:58.810]  repository with the POC codes, as well as the full research paper, which outlines
[35:58.810 --> 36:05.770]  processes taken and has a lot more technical information than this presentation. So if anyone
[36:05.770 --> 36:11.650]  does have any questions, please feel free to email me. There's also the talk.txt channel,
[36:11.650 --> 36:16.190]  if anyone has any questions there. Or please feel free to direct message me, and I will answer
[36:16.190 --> 36:22.170]  any questions that I'm capable of. And I look forward to hearing from you guys.
[36:24.310 --> 36:29.110]  The last slide I have prepared. So please, if anyone has any questions, do just let me know.
[36:29.110 --> 36:34.430]  Thank you very much. Thanks a lot, Connor. Appreciate it. Good talk. Thank you.
